Personal data storage and management in Russia: Report by EWDN and EY sheds full light on legal and organizational challenges

From September 1, 2015, companies operating in Russia will be required to store their users’ or clients’ personal data on servers located physically on Russian territory.

A white paper released by East-West Digital News, in partnership with EY and leading market players, sheds full light on the legal and organizational aspects of the matter.

When adopted last year, this legislation triggered a wave of criticism in and outside Russia. Some foreign players even saw in the new rules a move to a North Korean style of governance – and the beginning of the end to their digital business in Russia.

Indeed, this new legislation poses new challenges for many foreign and domestic players that store their users’ data in borderless clouds – with considerable differences depending on the sector and type of business.

From a practical point of view, however, businesses can in most cases continue operating with Russian users or consumers – provided that they implement a series of identified organizational, technical and legal steps.

Explaining these steps is the purpose of this EWDN white paper, to which senior experts from EY and J’son & Partners, data-center operators IXcellerate, DataSpace and Selectel, and international payment company PayU contributed.

In addition to recommendations on how to transfer data to Russia, the white paper includes a comprehensive legal analysis of the questions that will arise after the data is transferred to Russia: how law-abiding businesses should organize the collection and protection of personal data, and how they can use it, taking into account Russia’s demanding legislation.

Summary

How businesses have reacted to the law:

  • Guy Willner, CEO of data center company IXcellerate: “Local enterprises are aware of the law, but until recently many had little idea of what exactly was needed in order to comply. As for international players I was meeting in London, many were not even aware of the new law. In large companies, some employees seemed to be aware, but were waiting for instructions from senior management to react.”
  • David Hamner, Chairman of data center company DataSpace: “Timeline is a challenge and many companies won’t meet the September date. However many believe that if they can demonstrate activities to become compliant they may be granted some extensions or be subject to some manageable level of financial penalty.”

Five fundamental legal requirements for dealing with personal data in Russia

  1. Personal data may be collected, stored and used only with the consent of the data subject (the person to whom the data refers), preferably in written form.
  2. Starting from September 2015, personal data should be processed by means of information databases that are physically located on Russian territory.
  3. Data operators storing personal data are liable for keeping such data confidential and are not permitted to transfer, share or disclose such data without the consent of the data subject, with special attention paid to internal control mechanisms.
  4. Full protection of personal data should be provided through a range of organizational and technical measures defined by the law.
  5. The operator should draft and make publicly available an internal policy for processing personal data.

These rules apply specifically to personal data – which should not be confused with any user-related data. According to Russian law, the primary characteristic of “personal data” is the ability to identify among many persons a specific, unique individual.

Top 5 data migration tips

  1. Give yourself a long timespan to fully implement the migration process. The delivery of servers alone can take up to two months, while testing after installation can also take several months. This adds up to a process that can easily stretch up to eight months.
  2. Find a reliable local partner to assist you with the process. Involve the head-office team in the selection process.
  3. Use existing import channels to move equipment. Usually your Russia-based data center will have a number of reliable and previously tested partners to recommend. These should be large local business integrators, or international suppliers who have a dealer network in the country.
  4. Manage complexity by transparent communication: make sure there is full understanding of the installation design by all parties involved. Language barriers and complex terminology can create major problems between client and contractor in this regard.
  5. Don’t forget about after-migration support: the data-center team and other participating parties should be on stand-by after launch. A properly run data center will have client service thoroughly specified, with procedures, documentation, a 24-hour bi-lingual emergency phone line in place and an online ticketing system to track status.